mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
linux-stable/include/trace/events
History
Baokun Li 93064676a2 cachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read() 
[ Upstream commit da4a827416 ]

We got the following issue in a fuzz test of randomly issuing the restore
command:

==================================================================
BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0xb41/0xb60
Read of size 8 at addr ffff888122e84088 by task ondemand-04-dae/963

CPU: 13 PID: 963 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #564
Call Trace:
 kasan_report+0x93/0xc0
 cachefiles_ondemand_daemon_read+0xb41/0xb60
 vfs_read+0x169/0xb50
 ksys_read+0xf5/0x1e0

Allocated by task 116:
 kmem_cache_alloc+0x140/0x3a0
 cachefiles_lookup_cookie+0x140/0xcd0
 fscache_cookie_state_machine+0x43c/0x1230
 [...]

Freed by task 792:
 kmem_cache_free+0xfe/0x390
 cachefiles_put_object+0x241/0x480
 fscache_cookie_state_machine+0x5c8/0x1230
 [...]
==================================================================

Following is the process that triggers the issue:

     mount  |   daemon_thread1    |    daemon_thread2
------------------------------------------------------------
cachefiles_withdraw_cookie
 cachefiles_ondemand_clean_object(object)
  cachefiles_ondemand_send_req
   REQ_A = kzalloc(sizeof(*req) + data_len)
   wait_for_completion(&REQ_A->done)

            cachefiles_daemon_read
             cachefiles_ondemand_daemon_read
              REQ_A = cachefiles_ondemand_select_req
              msg->object_id = req->object->ondemand->ondemand_id
                                  ------ restore ------
                                  cachefiles_ondemand_restore
                                  xas_for_each(&xas, req, ULONG_MAX)
                                   xas_set_mark(&xas, CACHEFILES_REQ_NEW)

                                  cachefiles_daemon_read
                                   cachefiles_ondemand_daemon_read
                                    REQ_A = cachefiles_ondemand_select_req
              copy_to_user(_buffer, msg, n)
               xa_erase(&cache->reqs, id)
               complete(&REQ_A->done)
              ------ close(fd) ------
              cachefiles_ondemand_fd_release
               cachefiles_put_object
 cachefiles_put_object
  kmem_cache_free(cachefiles_object_jar, object)
                                    REQ_A->object->ondemand->ondemand_id
                                     // object UAF !!!

When we see the request within xa_lock, req->object must not have been
freed yet, so grab the reference count of object before xa_unlock to
avoid the above issue.

Fixes: 0a7e54c195 ("cachefiles: resend an open request if the read request's object is closed")
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Link: https://lore.kernel.org/r/20240522114308.2402121-5-libaokun@huaweicloud.com
Acked-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Jia Zhu <zhujia.zj@bytedance.com>
Reviewed-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2024-06-21 14:40:16 +02:00
..
9p.h 9p: prevent read overrun in protocol dump tracepoint 2023-12-05 21:18:44 +09:00
afs.h vfs-6.9.file 2024-03-11 10:37:45 -07:00
alarmtimer.h
asoc.h ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value 2024-05-30 09:44:49 +02:00
avc.h
bcache.h
block.h fs: add CONFIG_BUFFER_HEAD 2023-08-02 09:13:09 -06:00
bpf_test_run.h
bridge.h net: bridge: Add a tracepoint for MDB overflows 2023-02-06 08:48:25 +00:00
btrfs.h btrfs: use the flags of an extent map to identify the compression type 2023-12-15 22:59:02 +01:00
cachefiles.h cachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read() 2024-06-21 14:40:16 +02:00
cgroup.h
clk.h clk: Add trace events for rate requests 2022-12-07 13:54:09 -08:00
cma.h trace: cma: remove unnecessary event class cma_alloc_class 2023-04-05 19:42:58 -07:00
compaction.h mm: compaction: update the cc->nr_migratepages when allocating or freeing the freepages 2024-02-22 10:24:50 -08:00
context_tracking.h
cpuhp.h
csd.h smp: Change function signatures to use call_single_data_t 2023-09-13 14:59:24 +02:00
damon.h mm/damon/core: use nr_accesses_bp as a source of damos_before_apply tracepoint 2023-10-04 10:32:31 -07:00
devfreq.h
devlink.h devlink: Fix TP_STRUCT_entry in trace of devlink health report 2023-02-15 19:15:44 -08:00
dlm.h fs: dlm: add plock dev tracepoints 2023-08-10 10:33:03 -05:00
dma_fence.h
erofs.h erofs: adapt folios for z_erofs_read_folio() 2023-08-23 23:47:33 +08:00
error_report.h
ext4.h ext4: remove 'needed' in trace_ext4_discard_preallocations 2024-01-18 10:52:45 -05:00
f2fs.h f2fs: add tracepoint for f2fs_vm_page_mkwrite() 2023-12-11 13:37:53 -08:00
fib.h net: Replace strlcpy with strscpy 2023-07-04 19:40:16 +01:00
fib6.h net: Replace strlcpy with strscpy 2023-07-04 19:40:16 +01:00
filelock.h filelock: split leases out of struct file_lock 2024-02-05 13:11:44 +01:00
filemap.h
fs_dax.h
fscache.h fscache: Fix oops due to race with cookie_lru and use_cookie 2022-12-07 11:49:18 -08:00
fsi.h fsi: core: Add trace events for scan and unregister 2023-08-09 15:43:28 +09:30
fsi_master_aspeed.h
fsi_master_ast_cf.h
fsi_master_gpio.h
fsi_master_i2cr.h fsi: Add IBM I2C Responder virtual FSI master 2023-08-11 13:32:14 +09:30
gpio.h
gpu_mem.h
habanalabs.h accel/habanalabs: minor cosmetics update to trace file 2023-10-09 12:37:23 +03:00
handshake.h net/handshake: Trace events for TLS Alert helpers 2023-07-28 14:07:59 -07:00
host1x.h
huge_memory.h mm/khugepaged: skip shmem with userfaultfd 2023-04-18 16:29:52 -07:00
hwmon.h
i2c.h
i2c_slave.h
ib_mad.h IB/mad: Don't call to function that might sleep while in atomic context 2022-11-10 10:57:15 +02:00
ib_umad.h
initcall.h
intel-sst.h
intel_ifs.h platform/x86/intel/ifs: Add current batch number to trace output 2024-01-31 11:57:27 +02:00
intel_ish.h
io_uring.h io_uring: remove 'loops' argument from trace_io_uring_task_work_run() 2024-02-08 13:27:06 -07:00
iocost.h blk-iocost: Trace vtime_base_rate instead of vtime_rate 2022-12-01 07:44:12 -07:00
iommu.h iommu: Remove detach_dev callback 2023-01-13 16:39:18 +01:00
ipi.h trace: Add trace_ipi_send_cpu() 2023-03-24 11:01:29 +01:00
irq.h softirq: Add trace points for tasklet entry/exit 2023-04-15 10:17:16 +02:00
irq_matrix.h
iscsi.h scsi: iscsi: tracing: Use the new __vstring() helper 2022-07-19 11:20:25 -04:00
jbd2.h jbd2: remove journal_clean_one_cp_list() 2023-07-10 23:09:21 -04:00
kmem.h mm: add alloc_contig_migrate_range allocation statistics 2024-03-04 17:01:27 -08:00
ksm.h mm/ksm: add tracepoint for ksm advisor 2023-12-29 11:58:27 -08:00
kvm.h KVM: remove CONFIG_HAVE_KVM_IRQFD 2023-12-08 15:43:33 -05:00
kyber.h kyber: Replace strlcpy with strscpy 2023-07-17 08:18:17 -06:00
libata.h ata: libata: add qc->flags in ata_qc_complete_template tracepoint 2022-06-17 16:30:03 +09:00
lock.h locking/mutex: Make contention tracepoints more consistent wrt adaptive spinning 2022-04-05 10:24:36 +02:00
maple_tree.h Maple Tree: add new data structure 2022-09-26 19:46:13 -07:00
mce.h
mctp.h
mdio.h
migrate.h mm/migrate: add nr_split to trace_mm_migrate_pages stats. 2023-10-25 16:47:13 -07:00
mlxsw.h
mmap.h mm: mmap: remove newline at the end of the trace 2023-03-23 17:18:36 -07:00
mmap_lock.h
mmc.h
mmflags.h mm: turn folio_test_hugetlb into a PageType 2024-04-24 19:34:26 -07:00
module.h
mptcp.h net: implement lockless SO_MAX_PACING_RATE 2023-10-01 19:09:54 +01:00
napi.h net: dqs: add NIC stall detector based on BQL 2024-03-08 10:23:26 +00:00
nbd.h
neigh.h neighbor: tracing: Move pin6 inside CONFIG_IPV6=y section 2023-10-18 11:16:43 +01:00
net.h net: fix net_dev_start_xmit trace event vs skb_transport_offset() 2023-07-03 09:13:23 +01:00
net_probe_common.h
netfs.h netfs: Implement a write-through caching option 2023-12-28 09:45:27 +00:00
netlink.h
nilfs2.h fs/nilfs2: Use the enum req_op and blk_opf_t types 2022-07-14 12:14:33 -06:00
nmi.h
notifier.h notifiers: add tracepoints to the notifiers infrastructure 2023-04-08 13:45:38 -07:00
objagg.h
oom.h mm: update mark_victim tracepoints fields 2024-03-04 17:01:16 -08:00
osnoise.h
page_isolation.h
page_pool.h page_pool: split types and declarations from page_pool.h 2023-08-07 13:05:19 -07:00
page_ref.h
pagemap.h
percpu.h include/trace/events/percpu.h: cleanup for "percpu: improve percpu_alloc_percpu event trace" 2022-05-25 10:47:48 -07:00
power.h cpuidle: Add cpu_idle_miss trace event 2022-08-03 17:50:58 +02:00
power_cpu_migrate.h
preemptirq.h
printk.h
pwc.h
pwm.h pwm/tracing: Also record trace events for failed API calls 2022-12-06 12:46:23 +01:00
qdisc.h tracing/net_sched: Fix tracepoints that save qdisc_dev() as a string 2024-03-04 09:35:54 +00:00
qla.h scsi: qla2xxx: tracing: Use the new __vstring() helper 2022-07-19 11:20:25 -04:00
qrtr.h net: qrtr: correct types of trace event parameters 2023-04-04 18:58:43 -07:00
rcu.h RCU Changes for 6.4: 2023-04-24 12:16:14 -07:00
rdma_core.h
regulator.h
rpcgss.h SUNRPC: Fix rpcgss_context trace event acceptor field 2024-04-10 19:01:30 -04:00
rpcrdma.h svcrdma: Move write_info for Reply chunks into struct svc_rdma_send_ctxt 2024-03-01 09:12:28 -05:00
rpm.h PM: runtime: add tracepoint for runtime_status changes 2024-02-22 20:27:39 +01:00
rseq.h tracing/rseq: Add mm_cid field to rseq_update 2022-12-27 12:52:15 +01:00
rtc.h
rv.h rv/monitor: Add the wwnr monitor 2022-07-30 14:01:30 -04:00
rwmmio.h asm-generic/io: Add _RET_IP_ to MMIO trace for more accurate debug info 2022-11-21 22:02:10 +01:00
rxrpc.h rxrpc: Use ktimes for call timeout tracking and set the timer lazily 2024-03-05 23:35:25 +00:00
sched.h sched: Remove vruntime from trace_sched_stat_runtime() 2023-11-15 09:57:49 +01:00
scmi.h include: trace: Add platform and channel instance references 2023-01-20 11:40:57 +00:00
scsi.h scsi: core: Trace SCSI sense data 2023-05-31 11:05:34 -04:00
sctp.h
signal.h
siox.h
skb.h net: add location to trace_consume_skb() 2023-02-20 08:28:49 +00:00
smbus.h
sock.h inet: preserve const qualifier in inet_sk() 2023-03-17 08:56:37 +00:00
sof.h ASoC: SOF: replace ipc4-loader dev_vdbg with tracepoints 2022-09-19 15:44:08 +01:00
sof_intel.h ASoC: SOF: Intel: replace dev_vdbg with tracepoints 2022-09-19 15:44:06 +01:00
spi.h spi: Fix spelling typos and acronyms capitalization 2023-07-11 14:14:32 +01:00
spmi.h spmi: trace: fix stack-out-of-bound access in SPMI tracing functions 2022-07-24 16:16:44 +02:00
sunrpc.h Tracing updates for 6.9: 2024-03-18 15:11:44 -07:00
sunvnet.h
swiotlb.h swiotlb: make the swiotlb_init interface more useful 2022-04-18 07:21:11 +02:00
syscalls.h
target.h
task.h tracing: Replace strlcpy with strscpy in trace/events/task.h 2023-09-01 21:00:00 -04:00
tcp.h tcp: Add skb addr and sock addr to arguments of tracepoint tcp_probe. 2024-03-08 10:25:47 +00:00
tegra_apb_dma.h
thermal_pressure.h arch_topology: Trace the update thermal pressure 2022-05-06 09:57:38 +02:00
thp.h powerpc/book3s64/mm: enable transparent pud hugepage 2023-08-18 10:12:55 -07:00
timer.h tracing/timers: Add tracepoint for tracking timer base is_idle flag 2023-12-20 16:49:38 +01:00
timer_migration.h timer_migration: Add tracepoints 2024-02-22 17:52:32 +01:00
tlb.h
udp.h
ufs.h scsi: ufs: core: Include the SCSI ID in UFS command tracing output 2023-09-13 20:44:59 -04:00
v4l2.h
vb2.h
vmalloc.h mm: vmalloc: add free_vmap_area_noflush trace event 2022-11-08 17:37:17 -08:00
vmscan.h mm, vmscan: remove ISOLATE_UNMAPPED 2023-10-04 10:32:29 -07:00
vsock_virtio_transport_common.h vsock/virtio: MSG_ZEROCOPY flag support 2023-09-21 12:34:00 +02:00
watchdog.h watchdog: Add tracing events for the most usual watchdog events 2022-10-12 09:47:02 +02:00
wbt.h blk-wbt: Replace strlcpy with strscpy 2023-07-17 08:18:17 -06:00
workqueue.h workqueue: Fix type of cpu in trace event 2022-06-07 07:09:47 -10:00
writeback.h writeback: fix dereferencing NULL mapping->host on writeback_page_template 2023-06-19 13:19:31 -07:00
xdp.h net: invert the netdevice.h vs xdp.h dependency 2023-08-03 08:38:07 -07:00
xen.h x86/xen: move paravirt lazy code 2023-09-19 07:04:49 +02:00